From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: devel@edk2.groups.io
Subject: [PATCH V3 0/6] Add Device Security driver
Date: Thu, 7 Nov 2019 21:38:25 +0800
Message-ID: <20191107133831.22412-1-jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

=============== V3 ===============
The V3 version addresses the feedback below:

Liming Gao:
1. Add SPDM spec version and align to latest one 0.99a.

Rangasai Chaganty:
1. Put a reference to the spec at the file header, for Intel PCI security spec.
2. Add some high level description above the structure definition that
   describes the structure.
3. On the services "GetDevicePolicy" and "SetDeviceState", add more error
   return states.

Ray Ni:
1. Add comments to each field of structures like EDKII_DEVICE_SECURITY_POLICY
   and EDKII_DEVICE_SECURITY_STATE.
2. Add comments to all the macros defined in this patch to explain the meaning
   and, more importantly, how they are going to impact the logic.
3. Make the macro short:
   EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> EDKII_DEVICE_MEASUREMENT_REQUIRED
   EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> EDKII_DEVICE_AUTHENTICATION_REQUIRED
4. Rename the SetDeviceState to NotifyDeviceState.
5. Add comments to explain clearly what SetDeviceState() needs to do.
6. Change the prototype so that caller needs to pass in a policy structure and
   GetDevicePolicy() fills the structure buffer using CopyMem.
7. Add the version macro for EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
   securitypolicy.version and securitystate.version.
8. Add clear debug information for DvSec capability header.

=============== V2 ===============
This patch series adds support for device security based
upon the DMTF SPDM specification.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip

We did a design review on 18 Oct, 2019.
https://edk2.groups.io/g/devel/files/Designs/2019/1018

And the feedback from the meeting is addressed.
https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf

The Device security protocol is added in the EDKII repo.
Here we add the producer that follows the Intel PCI security spec
to do the device firmware measurement.
https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2

The validation has been done on an Intel internal platform.
The device measurement can be shown in the TCG event log.

Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>

Jiewen Yao (6):
  IntelSiliconPkg/Include: Add Intel PciSecurity definition.
  IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
  IntelSiliconPkg/dec: Add ProtocolGuid definition.
  IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
  IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
  IntelSiliconPkg/dsc: Add Device Security component.

.../IntelPciDeviceSecurityDxe.c | 697 ++++++++++++++++++
.../IntelPciDeviceSecurityDxe.inf | 45 ++
.../TcgDeviceEvent.h | 178 +++++
.../SamplePlatformDevicePolicyDxe.c | 204 +++++
.../SamplePlatformDevicePolicyDxe.inf | 40 +
.../IndustryStandard/IntelPciSecurity.h | 92 +++
.../Protocol/PlatformDeviceSecurityPolicy.h | 128 ++++
.../Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 4 +
.../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +
9 files changed, 1391 insertions(+)
create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
--
2.19.2.windows.1